Add check_allowed_to_delegate to the DAL with a corresponding libkdb5
authorGreg Hudson <ghudson@mit.edu>
Thu, 15 Jul 2010 04:18:00 +0000 (04:18 +0000)
committerGreg Hudson <ghudson@mit.edu>
Thu, 15 Jul 2010 04:18:00 +0000 (04:18 +0000)
API, replacing the last method (CHECK_ALLOWED_TO_DELEGATE) of
db_invoke.  Remove db_invoke since it no longer has any methods.

ticket: 6749

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24189 dc483132-0cff-0310-8789-dd5450dbe970

14 files changed:
src/include/kdb.h
src/kdc/kdc_util.c
src/lib/kdb/kdb5.c
src/lib/kdb/libkdb5.exports
src/plugins/kdb/db2/Makefile.in
src/plugins/kdb/db2/db2_exp.c
src/plugins/kdb/db2/kdb_db2.h
src/plugins/kdb/db2/kdb_ext.c [deleted file]
src/plugins/kdb/ldap/ldap_exp.c
src/plugins/kdb/ldap/libkdb_ldap/Makefile.in
src/plugins/kdb/ldap/libkdb_ldap/kdb_ext.c [deleted file]
src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c
src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
src/plugins/kdb/ldap/libkdb_ldap/libkdb_ldap.exports

index 5b5c13221cea4571514bc967ccd386fb205dce04..c572f8b56473ed27972876196314e94f6a70475a 100644 (file)
@@ -322,16 +322,6 @@ extern char *krb5_mkey_pwd_prompt2;
 #define KRB5_DB_LOCKMODE_DONTBLOCK    0x0004
 #define KRB5_DB_LOCKMODE_PERMANENT    0x0008
 
-/* db_invoke methods */
-#define KRB5_KDB_METHOD_CHECK_ALLOWED_TO_DELEGATE       0x00000080
-
-typedef struct _kdb_check_allowed_to_delegate_req {
-    krb5_magic magic;
-    const krb5_db_entry *server;
-    krb5_const_principal proxy;
-    krb5_const_principal client;
-} kdb_check_allowed_to_delegate_req;
-
 /* libkdb.spec */
 krb5_error_code krb5_db_setup_lib_handle(krb5_context kcontext);
 krb5_error_code krb5_db_open( krb5_context kcontext, char **db_args, int mode );
@@ -620,10 +610,10 @@ void krb5_db_audit_as_req(krb5_context kcontext, krb5_kdc_req *request,
 
 void krb5_db_refresh_config(krb5_context kcontext);
 
-krb5_error_code krb5_db_invoke ( krb5_context kcontext,
-                                 unsigned int method,
-                                 const krb5_data *req,
-                                 krb5_data *rep );
+krb5_error_code krb5_db_check_allowed_to_delegate(krb5_context kcontext,
+                                                  krb5_const_principal client,
+                                                  const krb5_db_entry *server,
+                                                  krb5_const_principal proxy);
 
 /* default functions. Should not be directly called */
 /*
@@ -1282,24 +1272,20 @@ typedef struct _kdb_vftabl {
     void (*refresh_config)(krb5_context kcontext);
 
     /*
-     * Optional: Perform an operation on input data req with output stored in
-     * rep.  Return KRB5_PLUGIN_OP_NOTSUPP if the module does not implement the
-     * method.  Defined methods are:
-     *
-     * KRB5_KDB_METHOD_CHECK_ALLOWED_TO_DELEGATE: req contains a
-     *     kdb_check_allowed_to_delegate_req structure.  Perform a policy check
-     *     on server being allowed to obtain tickets from client to proxy.
-     *     (Note that proxy is the target of the delegation, not the delegating
-     *     service; the term "proxy" is from the viewpoint of the delegating
-     *     service asking another service to perform some of its work in the
-     *     authentication context of the client.  This terminology comes from
-     *     the Microsoft S4U protocol documentation.)  Return 0 if policy
-     *     allows it, or an appropriate error (such as KRB5KDC_ERR_POLICY) if
-     *     not.  If this method is not implemented, all S4U2Proxy delegation
-     *     requests will be rejected.  Do not place any data in rep.
+     * Optional: Perform a policy check on server being allowed to obtain
+     * tickets from client to proxy.  (Note that proxy is the target of the
+     * delegation, not the delegating service; the term "proxy" is from the
+     * viewpoint of the delegating service asking another service to perform
+     * some of its work in the authentication context of the client.  This
+     * terminology comes from the Microsoft S4U protocol documentation.)
+     * Return 0 if policy allows it, or an appropriate error (such as
+     * KRB5KDC_ERR_POLICY) if not.  If this method is not implemented, all
+     * S4U2Proxy delegation requests will be rejected.
      */
-    krb5_error_code (*invoke)(krb5_context context, unsigned int method,
-                              const krb5_data *req, krb5_data *rep);
+    krb5_error_code (*check_allowed_to_delegate)(krb5_context context,
+                                                 krb5_const_principal client,
+                                                 const krb5_db_entry *server,
+                                                 krb5_const_principal proxy);
 } kdb_vftabl;
 
 #endif /* !defined(_WIN32) */
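Review bot: The new public prototype krb5_db_check_allowed_to_delegate in the second hunk carries no comment, while the vtable slot it wraps in the third hunk has a full description; a KDC caller reading only the declaration cannot tell that the wrapper yields KRB5_PLUGIN_OP_NOTSUPP when the back end does not implement the check (that behaviour is in the kdb5.c hunk of this commit). A short comment above the declaration would keep the two in step, e.g. `/* Ask the DB module whether server may obtain tickets from client to proxy (S4U2Proxy). Returns KRB5_PLUGIN_OP_NOTSUPP if the module has no such policy check. */`. The _kdb_vftabl typedef that the third hunk edits begins before the hunk.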
index c0b22ce69141cd5b844f2cf235cd322bcf5f81ea..1e79273bcfec4e824b1047a2617e3166de46910a 100644 (file)
@@ -2180,47 +2180,19 @@ kdc_process_s4u2self_req(krb5_context context,
 }
 
 static krb5_error_code
-check_allowed_to_delegate_to(krb5_context context,
-                             krb5_const_principal client,
+check_allowed_to_delegate_to(krb5_context context, krb5_const_principal client,
                              const krb5_db_entry *server,
                              krb5_const_principal proxy)
 {
-    kdb_check_allowed_to_delegate_req   req;
-    krb5_data                   req_data;
-    krb5_data                   rep_data;
-    krb5_error_code             code;
-
     /* Can't get a TGT (otherwise it would be unconstrained delegation) */
-    if (krb5_is_tgs_principal(proxy)) {
+    if (krb5_is_tgs_principal(proxy))
         return KRB5KDC_ERR_POLICY;
-    }
 
     /* Must be in same realm */
-    if (!krb5_realm_compare(context, server->princ, proxy)) {
+    if (!krb5_realm_compare(context, server->princ, proxy))
         return KRB5KDC_ERR_POLICY;
-    }
-
-    req.server = server;
-    req.proxy = proxy;
-    req.client = client;
 
-    req_data.data = (void *)&req;
-    req_data.length = sizeof(req);
-
-    rep_data.data = NULL;
-    rep_data.length = 0;
-
-    code = krb5_db_invoke(context,
-                          KRB5_KDB_METHOD_CHECK_ALLOWED_TO_DELEGATE,
-                          &req_data,
-                          &rep_data);
-    if (code == KRB5_PLUGIN_OP_NOTSUPP) {
-        code = KRB5KDC_ERR_POLICY;
-    }
-
-    assert(rep_data.length == 0);
-
-    return code;
+    return krb5_db_check_allowed_to_delegate(context, client, server, proxy);
 }
 
 krb5_error_code
@@ -2432,7 +2404,6 @@ log_tgs_req(const krb5_fulladdr *from,
 
     /* OpenSolaris: audit_krb5kdc_tgs_req(...)  or
        audit_krb5kdc_tgs_req_2ndtktmm(...) */
-    /* ... krb5_db_invoke ... */
 }
 
 void
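Review bot: The translation of KRB5_PLUGIN_OP_NOTSUPP into KRB5KDC_ERR_POLICY that the removed lines performed is gone, and the new final return of check_allowed_to_delegate_to passes the libkdb5 result through unchanged. Since krb5_db_check_allowed_to_delegate in the kdb5.c hunk returns KRB5_PLUGIN_OP_NOTSUPP when a back end leaves the slot empty (the DB2 table in db2_exp.c now does), an S4U2Proxy request against such a back end is still refused, but with a non-protocol error code rather than the policy error the kdb.h comment promises, unless a caller outside this hunk maps it. Keeping the old mapping costs one local: declare `krb5_error_code code;`, then replace the return with `code = krb5_db_check_allowed_to_delegate(context, client, server, proxy); if (code == KRB5_PLUGIN_OP_NOTSUPP) code = KRB5KDC_ERR_POLICY; return code;`.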
index 8118872c5b2da3245afbfb353ea83814c0d28433..7d0b84ca2b9a07eb99bb663791563239088fe3b5 100644 (file)
@@ -2330,18 +2330,18 @@ krb5_db_refresh_config(krb5_context kcontext)
 }
 
 krb5_error_code
-krb5_db_invoke(krb5_context kcontext,
-               unsigned int method,
-               const krb5_data *req,
-               krb5_data *rep)
+krb5_db_check_allowed_to_delegate(krb5_context kcontext,
+                                  krb5_const_principal client,
+                                  const krb5_db_entry *server,
+                                  krb5_const_principal proxy)
 {
-    krb5_error_code status = 0;
+    krb5_error_code ret;
     kdb_vftabl *v;
 
-    status = get_vftabl(kcontext, &v);
-    if (status)
-        return status;
-    if (v->invoke == NULL)
+    ret = get_vftabl(kcontext, &v);
+    if (ret)
+        return ret;
+    if (v->check_allowed_to_delegate == NULL)
         return KRB5_PLUGIN_OP_NOTSUPP;
-    return v->invoke(kcontext, method, req, rep);
+    return v->check_allowed_to_delegate(kcontext, client, server, proxy);
 }
index 1d7ab7b39946478c3145922d7745c880a8b3cf0e..6e890478d422947119cbf30055372102f53e6901 100644 (file)
@@ -4,6 +4,7 @@ krb5_db_inited
 krb5_db_alloc
 krb5_db_free
 krb5_db_audit_as_req
+krb5_db_check_allowed_to_delegate
 krb5_db_check_policy_as
 krb5_db_check_policy_tgs
 krb5_db_check_transited_realms
@@ -20,7 +21,6 @@ krb5_db_get_key_data_kvno
 krb5_db_get_mkey_list
 krb5_db_get_context
 krb5_db_get_principal
-krb5_db_invoke
 krb5_db_iterate
 krb5_db_lock
 krb5_db_put_principal
index fb176f4a41ea1bccc50fb0b58c9d8fa48beabeec..db570d70621a394d3e73ad0ac7431353e0c37e09 100644 (file)
@@ -54,7 +54,6 @@ SRCS= \
        $(srcdir)/adb_openclose.c \
        $(srcdir)/adb_policy.c \
        $(srcdir)/kdb_db2.c \
-       $(srcdir)/kdb_ext.c \
        $(srcdir)/pol_xdr.c \
        $(srcdir)/db2_exp.c \
        $(srcdir)/lockout.c
@@ -65,7 +64,6 @@ STLIBOBJS= \
        adb_openclose.o \
        adb_policy.o \
        kdb_db2.o \
-       kdb_ext.o \
        pol_xdr.o \
        db2_exp.o \
        lockout.o
index 24c62a434c66451508803e4c6c27c69b49885c7e..2de4bbcacbf346f59d13460163348fd3d07d3594 100644 (file)
@@ -192,13 +192,6 @@ WRAP_VOID (krb5_db2_audit_as_req,
             krb5_timestamp authtime, krb5_error_code error_code),
            (kcontext, request, client, server, authtime, error_code));
 
-WRAP_K (krb5_db2_invoke,
-        (krb5_context kcontext,
-         unsigned int method,
-         const krb5_data *request,
-         krb5_data *response),
-        (kcontext, method, request, response));
-
 static krb5_error_code
 hack_init (int dal_version)
 {
@@ -258,6 +251,5 @@ kdb_vftabl PLUGIN_SYMBOL_NAME(krb5_db2, kdb_function_table) = {
     /* check_policy_as */               wrap_krb5_db2_check_policy_as,
     0,
     /* audit_as_req */                  wrap_krb5_db2_audit_as_req,
-    0,
-    /* invoke */                        wrap_krb5_db2_invoke
+    0, 0
 };
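Review bot: The replacement initializer `0, 0` on the last changed line drops the per-slot comments that this positional table relies on (`/* check_policy_as */`, `/* audit_as_req */` are still labelled just above), so a reader can no longer see which two kdb_vftabl members are being left empty, and a member added to the struct later would shift the slots silently. Labelling both zeros, `/* refresh_config */ 0, /* check_allowed_to_delegate */ 0`, keeps the table self-describing; the ldap_exp.c table in this same commit already labels both. The table definition begins before the hunk.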
index a1d0d1976ef106d1ef71a991f1fd513bc99c2f37..f7c68bc91a0f27378f1c712232143599c5d3f2ff 100644 (file)
@@ -157,11 +157,4 @@ krb5_db2_audit_as_req(krb5_context kcontext, krb5_kdc_req *request,
                       krb5_db_entry *client, krb5_db_entry *server,
                       krb5_timestamp authtime, krb5_error_code error_code);
 
-/* methods */
-krb5_error_code
-krb5_db2_invoke(krb5_context context,
-                unsigned int method,
-                const krb5_data *req,
-                krb5_data *rep);
-
 #endif /* KRB5_KDB_DB2_H */
diff --git a/src/plugins/kdb/db2/kdb_ext.c b/src/plugins/kdb/db2/kdb_ext.c
deleted file mode 100644 (file)
index a27aa2c..0000000
+++ /dev/null
@@ -1,44 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/*
- * plugins/kdb/db2/kdb_ext.c
- *
- * Copyright (C) 2009 by the Massachusetts Institute of Technology.
- * All rights reserved.
- *
- * Export of this software from the United States of America may
- *   require a specific license from the United States Government.
- *   It is the responsibility of any person or organization contemplating
- *   export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission.  Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose.  It is provided "as is" without express
- * or implied warranty.
- *
- *
- *
- */
-
-#include "k5-int.h"
-#include "kdb.h"
-#include <stdio.h>
-#include <errno.h>
-#include "kdb_db2.h"
-
-krb5_error_code
-krb5_db2_invoke(krb5_context context,
-                unsigned int method,
-                const krb5_data *req,
-                krb5_data *rep)
-{
-    return KRB5_PLUGIN_OP_NOTSUPP;
-}
index 76786fca4bb084067e50f7980e87e85f1712f085..55f10d9b665cce1f391c248a1c893a495edb3f39 100644 (file)
@@ -88,6 +88,6 @@ kdb_vftabl PLUGIN_SYMBOL_NAME(krb5_ldap, kdb_function_table) = {
     /* check_policy_tgs */                  NULL,
     /* audit_as_req */                      krb5_ldap_audit_as_req,
     /* refresh_config */                    NULL,
-    /* invoke */                            krb5_ldap_invoke,
+    /* check_allowed_to_delegate */         krb5_ldap_check_allowed_to_delegate
 
 };
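Review bot: The new last entry on the `+` line omits the trailing comma that every entry above it keeps, so the next member appended to kdb_vftabl will have to touch this line again rather than just adding one. Ending it with a comma, `/* check_allowed_to_delegate */         krb5_ldap_check_allowed_to_delegate,`, keeps the table uniform with the surrounding entries. The initializer begins before the hunk.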
index bc6c27acf211c53041361ebc245dc97b0a6c7ab5..8331650fc60e4fb60ef750014e308f2ddb48ab3d 100644 (file)
@@ -52,7 +52,6 @@ SRCS=         $(srcdir)/kdb_ldap.c \
        $(srcdir)/princ_xdr.c \
        $(srcdir)/ldap_fetch_mkey.c \
        $(srcdir)/ldap_service_stash.c \
-       $(srcdir)/kdb_ext.c \
        $(srcdir)/kdb_xdr.c \
        $(srcdir)/ldap_err.c \
        $(srcdir)/lockout.c \
@@ -74,7 +73,6 @@ STLIBOBJS= kdb_ldap.o \
        princ_xdr.o \
        ldap_fetch_mkey.o \
        ldap_service_stash.o \
-       kdb_ext.o \
        kdb_xdr.o \
        ldap_err.o \
        lockout.o
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ext.c b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ext.c
deleted file mode 100644 (file)
index 75b4543..0000000
+++ /dev/null
@@ -1,88 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/*
- * plugins/kdb/ldap/kdb_ext.c
- *
- * Copyright (C) 2009 by the Massachusetts Institute of Technology.
- * All rights reserved.
- *
- * Export of this software from the United States of America may
- *   require a specific license from the United States Government.
- *   It is the responsibility of any person or organization contemplating
- *   export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission.  Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose.  It is provided "as is" without express
- * or implied warranty.
- *
- *
- *
- */
-
-#include "k5-int.h"
-#include "kdb.h"
-#include <stdio.h>
-#include <errno.h>
-#include "kdb_ldap.h"
-
-static krb5_error_code
-krb5_ldap_check_allowed_to_delegate(krb5_context context,
-                                    unsigned int method,
-                                    const krb5_data *request,
-                                    krb5_data *response)
-{
-    const kdb_check_allowed_to_delegate_req *req;
-    krb5_error_code code;
-    krb5_tl_data *tlp;
-
-    req = (const kdb_check_allowed_to_delegate_req *)request->data;
-
-    code = KRB5KDC_ERR_POLICY;
-
-    for (tlp = req->server->tl_data; tlp != NULL; tlp = tlp->tl_data_next) {
-        krb5_principal acl;
-
-        if (tlp->tl_data_type != KRB5_TL_CONSTRAINED_DELEGATION_ACL)
-            continue;
-
-        if (krb5_parse_name(context, (char *)tlp->tl_data_contents, &acl) != 0)
-            continue;
-
-        if (krb5_principal_compare(context, req->proxy, acl)) {
-            code = 0;
-            krb5_free_principal(context, acl);
-            break;
-        }
-        krb5_free_principal(context, acl);
-    }
-
-    return code;
-}
-
-krb5_error_code
-krb5_ldap_invoke(krb5_context context,
-                 unsigned int method,
-                 const krb5_data *req,
-                 krb5_data *rep)
-{
-    krb5_error_code code = KRB5_PLUGIN_OP_NOTSUPP;
-
-    switch (method) {
-    case KRB5_KDB_METHOD_CHECK_ALLOWED_TO_DELEGATE:
-        code = krb5_ldap_check_allowed_to_delegate(context, method, req, rep);
-        break;
-    default:
-        break;
-    }
-
-    return code;
-}
index eaf10cf2efba68a96ae4769da5dfca0807fcb046..5e055116bc3f144d79dd86f3ce89f6246ee9301c 100644 (file)
@@ -549,3 +549,34 @@ krb5_ldap_audit_as_req(krb5_context kcontext, krb5_kdc_req *request,
 {
     (void) krb5_ldap_lockout_audit(kcontext, client, authtime, error_code);
 }
+
+krb5_error_code
+krb5_ldap_check_allowed_to_delegate(krb5_context context,
+                                    krb5_const_principal client,
+                                    const krb5_db_entry *server,
+                                    krb5_const_principal proxy)
+{
+    krb5_error_code code;
+    krb5_tl_data *tlp;
+
+    code = KRB5KDC_ERR_POLICY;
+
+    for (tlp = server->tl_data; tlp != NULL; tlp = tlp->tl_data_next) {
+        krb5_principal acl;
+
+        if (tlp->tl_data_type != KRB5_TL_CONSTRAINED_DELEGATION_ACL)
+            continue;
+
+        if (krb5_parse_name(context, (char *)tlp->tl_data_contents, &acl) != 0)
+            continue;
+
+        if (krb5_principal_compare(context, proxy, acl)) {
+            code = 0;
+            krb5_free_principal(context, acl);
+            break;
+        }
+        krb5_free_principal(context, acl);
+    }
+
+    return code;
+}
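Review bot: krb5_parse_name is handed `tlp->tl_data_contents` as a C string, so this policy check relies on every KRB5_TL_CONSTRAINED_DELEGATION_ACL value attached to server being NUL-terminated within its tl_data_length; nothing here verifies that, and if a store path outside this commit ever writes the bare principal text without the terminator, the parse reads past the buffer. A cheap guard before the parse is `if (tlp->tl_data_length == 0 || tlp->tl_data_contents[tlp->tl_data_length - 1] != '\0') continue;`. Separately, the `client` parameter is never consulted — the decision rests solely on whether proxy matches one ACL entry — and since the deleted kdb_ext.c version ignored it too this is presumably intended, but a header comment such as `/* Permit delegation iff proxy matches one of server's constrained-delegation ACL entries; client is not part of this policy. */` would record the contract. Entries whose parse fails are skipped silently, which also deserves a why-comment on the `continue`.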
index 939defb761613bad52152478bacfe5cb6314381e..8531b8cc68b874067894d0ec6fe276d37701a6d6 100644 (file)
@@ -307,6 +307,12 @@ krb5_ldap_audit_as_req(krb5_context kcontext, krb5_kdc_req *request,
                        krb5_db_entry *client, krb5_db_entry *server,
                        krb5_timestamp authtime, krb5_error_code error_code);
 
+krb5_error_code
+krb5_ldap_check_allowed_to_delegate(krb5_context context,
+                                    krb5_const_principal client,
+                                    const krb5_db_entry *server,
+                                    krb5_const_principal proxy);
+
 /* DAL functions */
 
 
@@ -337,11 +343,4 @@ krb5_ldap_lockout_audit(krb5_context context,
                         krb5_timestamp stamp,
                         krb5_error_code status);
 
-/* kdb_ext.c */
-krb5_error_code
-krb5_ldap_invoke(krb5_context context,
-                 unsigned int method,
-                 const krb5_data *req,
-                 krb5_data *rep);
-
 #endif
index 6692c71699b1ce34f621073373a97dd99e3f0bd7..c10700fc4b36ea39b5c27d307fc9672becebc807 100644 (file)
@@ -46,4 +46,4 @@ krb5_ldap_set_mkey_list
 krb5_ldap_get_mkey_list
 krb5_ldap_check_policy_as
 krb5_ldap_audit_as_req
-krb5_ldap_invoke
+krb5_ldap_check_allowed_to_delegate